
Re: [Video] How to: Sniff SSL / HTTPS (sslstrip)

So, I understand in principle and practice how this works... and I am aware that sslstrip offers a lock favicon to give the illusion of a secure connection. However, the lack of the HTTPS in the address bar is a dead giveaway.

Lately, I've been playing around with Cain & Abel. Besides having a better GUI, C&A seems to be able to maintain the HTTPS as well. What I'm wondering is how this program accomplishes this and how it is different from sslstrip. On the surface, it seems to be the same type of ARP poisoning MITM attack.

If we are using sslstrip, why uncomment redir_command? That command is supposed to sniff SSL traffic, and if we are already using sslstrip, that will bring conflicts between the two, right? Maybe because of that, many people here are having problems with messages saying the cert isn't valid (because that is how redir_command works to get SSL info, from what I know).

Also, Ettercap forwards all traffic automatically if sniffing. I don't know any command to make it stop doing that, which means if we have ip_forward=1 and Ettercap running, we are forwarding traffic twice (you can confirm in Wireshark). Not pretty.

Re: [Video] How to: Sniff SSL / HTTPS (sslstrip)

Originally Posted by Warwulf

So, I understand in principle and practice how this works... and I am aware that sslstrip offers a lock favicon to give the illusion of a secure connection. However, the lack of the HTTPS in the address bar is a dead giveaway.

Lately, I've been playing around with Cain & Abel. Besides having a better GUI, C&A seems to be able to maintain the HTTPS as well. What I'm wondering is how this program accomplishes this and how it is different from sslstrip. On the surface, it seems to be the same type of ARP poisoning MITM attack.

Thoughts?

How is it a "dead giveaway"? I can remember seeing a video (Blackhat 2009) in which the author of the software ran a modded(*) version on Tor for 24 hours, and not one person detected the missing "S"...

(*) = The modded version didn't record anyone's personal details.
It would only collect which URLs it was stripping, and whether the user did or didn't send a request back. Every person sent the request back (to login).
He had to check that he had it set up right because he didn't believe it was working correctly!

Personally, I haven't used Cain & Abel too much so I can't comment that much on it, but as far as I know it's an AIO GUI tool that does HTTPS by "injecting fake certificates".
After doing a quick Google search: CAIN and ABEL Tutorial 2 | Hackers Library, it looks like they get a "pop-up dialog warning about the problem". I haven't tried this so I can't say for sure. It also looks like a very old version of IE that they are using....
SSLStrip = Removes HTTPS
Cain & Abel = Injects into HTTPS

Cain also does the MITM attack (via ARP poisoning), whereas SSLStrip doesn't do any MITM'ing; it's down to the user to choose how to do the MITM (as there is more than one!)

Originally Posted by kamiz9999

Thank you for this tutorial, it works perfectly on my home network.

My setup: 4 computers connected via wifi.

The only bad thing is the internet speed is terribly slow on the victim machine.

Is there a way to avoid the drop in speed? Better hardware?

All the traffic on all 4 computers has to go through your computer, therefore it's creating a bottleneck effect. As far as I know the only way to stop it from slowing down is to increase the bandwidth (create a bigger pipe, as it were; for example move from 100MB to 1GB), or attack fewer computers at once.

Originally Posted by f4llcon

Hello
g0tmi1k, thank you for the great tut!

I have a problem with sslstrip. On the victim computer it will still show up a warning when I go on hotmail.com or mail.google.com or every other https:// website.

What am I doing wrong? I retried over and over with your tut and other tuts. But none work.

Last night I tried it on my other computer on my other network and it worked great with

But none work now? I will retry it when I am on my other network, but why isn't it working in this network? I also tried it on one other network but there was the same problem.

This is a legal question for myself only and I am only using my own 3 networks.

Thanks, hope to hear what's the problem.

F4LLCON

Are you (or is an addon - e.g. ForceTLS) going straight to an HTTPS page (https://mail.google.com)? Or is the page that is being requested forcing HTTPS (I know there is an option in Gmail to enable this)?
SSLStrip only works if you link to an HTTPS page; if the user manually types in HTTPS://, it will not work.

A few things about the above commands:
> It doesn't matter which way around you do kate & echo.
> The target ISN'T the same. Nor is the gateway.
> I'm not sure if --to-ports (an extra "s" at the end) is a typo or if it matters. It's been a while, and my iptables fu isn't great.
> SSLStrip's default port is 10000, so you don't need to put it in.
> Did you try to do the last bit, "grepping" on my commands? I dunno what you're trying to sniff.

Originally Posted by aeronavi

If we are using sslstrip, why uncomment redir_command? That command is supposed to sniff SSL traffic, and if we are already using sslstrip, that will bring conflicts between the two, right? Maybe because of that, many people here are having problems with messages saying the cert isn't valid (because that is how redir_command works to get SSL info, from what I know).

Also, Ettercap forwards all traffic automatically if sniffing. I don't know any command to make it stop doing that, which means if we have ip_forward=1 and Ettercap running, we are forwarding traffic twice (you can confirm in Wireshark). Not pretty.

Then just open the file and look for the important fields; it's not difficult.

Note that to flush iptables, the command

Code:

iptables --flush

will not work (at least for me).
You have to use

Code:

iptables -t nat --flush

Thanks for the tips aeronavi. I've got to be honest, I haven't used SSLStrip in a while, and it's been even longer since I've used ettercap.
I agree with you on ettercap enabling ip_forward (handy, but annoying; I also don't know of a way to stop it when doing an MITM attack), as if you were to do:

*Note: that's coming from the top of my head*
However, I was using arpspoof to do the MITM attack; it doesn't do IP forwarding automatically, hence why I did it.
I forgot about ettercap doing ip_forward, even when you're not using it to do the MITM attack.

The reason why I did redir_command was that I was demonstrating before and after sslstrip.
Before I ran SSLStrip, I was using HTTPS with ettercap, hence I needed redir_command.
After running SSLStrip, I found out that I didn't need to change redir_command back.

Short answer: Yes, that could be why some people are getting errors due to "redir_command" & "ip_forward". I'm not sure why it works for some but not others at the moment.
People do keep getting in touch about this, and it's old (also wrong, as you pointed out), so I may end up doing an update to it.
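Every setup in this thread (ettercap, arpspoof, Cain) gets into the path the same way, by answering ARP for the gateway, so a detection-side check is the natural counterpart. The following is an added example, not code from the thread or from any of those tools: it walks a list of observed ARP replies (the sample is constructed, reusing the 10.0.0.0/24 LAN and 10.0.0.1 gateway from the NETGEAR post) and flags an IP whose MAC flips, and a MAC that claims more than one IP, which is what a poisoned cache looks like while the attack is running.

```python
"""Flag ARP-cache poisoning from a stream of observed ARP replies.
Added example (not from the thread). Input could come from a sniffer
or from polling `arp -n`; here a constructed sample is embedded."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple


class ArpReply(NamedTuple):
    ts: float   # seconds since capture start
    ip: str     # sender protocol address (the IP the reply claims)
    mac: str    # sender hardware address


# Constructed sample: aa:..:01 is the real gateway. From t=30 a second NIC
# (aa:..:77) answers for the gateway AND for a victim, which is exactly the
# picture an in-the-middle host produces; at t=40 the real gateway replies again.
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.0.0.1", "aa:bb:cc:00:00:01"),
    ArpReply(5.0, "10.0.0.10", "aa:bb:cc:00:00:10"),
    ArpReply(30.0, "10.0.0.1", "aa:bb:cc:00:00:77"),
    ArpReply(30.5, "10.0.0.10", "aa:bb:cc:00:00:77"),
    ArpReply(31.0, "10.0.0.1", "aa:bb:cc:00:00:77"),
    ArpReply(40.0, "10.0.0.1", "aa:bb:cc:00:00:01"),
]

Finding = Tuple[str, str, str]  # (severity, subject, message)


def find_arp_conflicts(replies: List[ArpReply], known_gateway: Optional[str] = None,
                       baseline: Optional[Dict[str, str]] = None) -> List[Finding]:
    """Two checks: (1) an IP seen with a MAC other than its first/baseline one
    (a cache flip, rated high when it is the gateway); (2) one MAC claiming
    several IPs. `baseline` (ip -> mac) is optional; without it the first
    reply seen for each IP is trusted, so in practice seed it from a known-good table."""
    expected = {ip: mac.lower() for ip, mac in (baseline or {}).items()}
    macs_for_ip = defaultdict(set)
    ips_for_mac = defaultdict(set)
    findings: List[Finding] = []
    for r in sorted(replies, key=lambda x: x.ts):
        mac = r.mac.lower()
        expected.setdefault(r.ip, mac)
        # Report each new MAC for an IP once, not on every repeated reply.
        if mac != expected[r.ip] and mac not in macs_for_ip[r.ip]:
            sev = "high" if r.ip == known_gateway else "medium"
            findings.append((sev, r.ip, f"{r.ip} flipped from {expected[r.ip]} to {mac} at t={r.ts:.1f}s"))
        macs_for_ip[r.ip].add(mac)
        ips_for_mac[mac].add(r.ip)
    for mac, ips in ips_for_mac.items():
        if len(ips) > 1:
            findings.append(("medium", mac, f"{mac} claims {len(ips)} addresses: {sorted(ips)}"))
    return findings
```

On a real LAN, run it against a capture filtered to ARP replies and seed `baseline` with the gateway's MAC from the router's label or a known-clean `arp -n`; the double forwarding discussed above does not change the ARP picture, only the traffic path.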

Re: [Video] How to: Sniff SSL / HTTPS (sslstrip)

Thanks for great video!

I have a problem doing this on my new NETGEAR router: all computers that are connected to this new router get an IP of 10.0.0.X and the router IP gateway is 10.0.0.1.

Ettercap only finds 10.0.0.1, the router's default gateway, when I scan; the other computers that are connected to it don't show up, I can't find them. Why's that? Is it too well secured? How do I see the other victims who are connected to this router?

Re: [Video] How to: Sniff SSL / HTTPS (sslstrip)

First of all thanks to g0tmi1k for this amazing tutorial !

However, I was able to sniff SSL passwords without typing all these commands. All I did was uncomment the 2 lines from /etc/etter.conf, then run Ettercap with ARP Poisoning. Then I was able to sniff all SSL passwords without problem. What am I doing wrong?

2nd question: I hacked my own network (I'm the admin) with Ettercap. Do I need to delete the fake certificates installed on the victim's computer during the test? If I don't delete them, is it possible for a hacker who breaks into my network to "reuse" these fake certificates? Thanks.

Re: [Video] How to: Sniff SSL / HTTPS (sslstrip)

I g0t Mi1k!
Thanks a lot for this; it took a bit of tweaking to get things going smoothly but in the end everything was peachy! Again, thank you!

So this was my first successful 'hack', if you will! Like I said it took a bit of tweaking to get going, but any bumps I hit were because I lacked a full understanding of what I was doing... So I'm just gonna list off a couple of things I'm uncertain of.

So I'm on my own private address space on my little LAN. Finest.
I'm using Ettercap's GUI to carry out the ARP spoofing. - I failed on my first attempt to execute this in the shell; I'll get back to it later. For now the GUI will suffice.

Our first command:

Code:

echo 1 >/proc/sys/net/ipv4/ip_forward

What exactly is happening here? I examined the file hoping for a hint as to what this is & what it's doing - but to no avail. What kind of file is this?
I'm taking a stab at what this command does.
Are we simply setting our attacking machine to allow forwarding of any IPs that we intercept?

After that I think I understand what's happening... so yeah, that's all for now!
Where should my next step in security exploits be? Any recommendations?

Thanks again g0tMi1k.
Hugs etc etc

P.S.

I tested this out on the following:
Gmail
Hotmail (Cert warning flashed up once after logon.)
(Chrome, page layout distorted after logon)
Vodafone.com
warez-bb